evil eval

Postby metulburr » Mon Jun 24, 2013 7:47 pm

I haven't used eval() since jkbbwr used my IRC bot to read and write files as an example of how insecure eval is.
So the method would be to add the argument:
Code:
{"__builtins__": None}

But then you guys say that is not enough, although all I can think of right now is that __import__() and open() are pretty nasty.

So what if you just removed the ability to use package names, builtins, and keywords? At that point, would it still be a back door?

I wouldn't think there is anything left:

Code:
import sys
import pkgutil
import keyword

# Every importable module name on this machine, so 'subprocess', 'os', ... are refused.
pkg_names = []
for i in pkgutil.iter_modules():
    pkg_names.append(i[1])

# Blacklist: module names + every builtin name + every keyword.
forbidden = pkg_names + dir(__builtins__) + keyword.kwlist

while True:
    ok = True

    s = input(': ')
    # Plain substring test, not a token test: 're' also matches 'read', 'is' matches 'list'.
    for word in forbidden:
        if word in s:
            print('{} is not allowed'.format(word))
            ok = False

    if s and ok:
        try:
            print(eval(s))
        except:
            print(sys.exc_info())


and my example outputs:
: __import__('subprocess').Popen('ls')
imp is not allowed
subprocess is not allowed
__import__ is not allowed
open is not allowed
import is not allowed
or is not allowed
:
: 1/0
(<class 'ZeroDivisionError'>, ZeroDivisionError('division by zero',), <traceback object at 0x7fa1f78e6ab8>)
: 1+1
2
: 1+1+1*10
12
: 2*2(2)
(<class 'TypeError'>, TypeError("'int' object is not callable",), <traceback object at 0x7fa1f78e6a28>)
: a + 1
(<class 'NameError'>, NameError("name 'a' is not defined",), <traceback object at 0x7fa1f78c5ef0>)
: a = 1
(<class 'SyntaxError'>, SyntaxError('invalid syntax', ('<string>', 1, 3, 'a = 1')), <traceback object at 0x7fa1f78c5ef0>)
: a + 1
(<class 'NameError'>, NameError("name 'a' is not defined",), <traceback object at 0x7fa1f78e6a28>)
: class Test:;self.a=0
as is not allowed
class is not allowed
: open('test.txt,'w').write('hello')
test is not allowed
open is not allowed
: open('test.txt).read()
test is not allowed
re is not allowed
open is not allowed
: open('test.txt').read()
test is not allowed
re is not allowed
open is not allowed


Well, 'test' is in there because I have a module named test in my home directory.
OS Ubuntu 14.04, Arch Linux, Gentoo, Windows 7/8
https://github.com/metulburr
metulburr
Posts: 1387
Joined: Thu Feb 07, 2013 4:47 pm
Location: Elmira, NY
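
An added illustration (not code from the thread) of why stripping __builtins__ alone is "not enough": with no builtin names at all, an expression can still start from a tuple literal, climb to object, enumerate every loaded class with __subclasses__(), and pull the os module's namespace out of CPython's os._wrap_close, whose __init__ is a plain Python function carrying os's globals. An empty dict is used for __builtins__ here; it refuses name lookups just as the post's None does, and the bypass never looks a name up. The function names are this example's own; 'getcwd' is chosen as a harmless target, the same dict also holds 'system'.

```python
import os


def eval_without_builtins(expr):
    """The mitigation the post asks about: eval() with the real builtins removed."""
    return eval(expr, {"__builtins__": {}}, {})


def blocked_open():
    """open() is indeed gone: the name lookup fails instead of opening a file."""
    try:
        eval_without_builtins("open('test.txt')")
    except NameError:
        return True
    return False


# No builtin names, no import statement, no keyword beyond the expression grammar:
# () -> tuple -> object -> every class loaded in the interpreter -> os._wrap_close,
# whose pure-Python __init__ exposes the os module's dict via __globals__.
BYPASS = (
    "[c for c in ().__class__.__base__.__subclasses__()"
    " if c.__name__ == '_wrap_close'][0].__init__.__globals__['getcwd']()"
)


def reach_os_via_subclasses():
    """Returns os.getcwd() despite the empty __builtins__ (CPython-specific path)."""
    return eval_without_builtins(BYPASS)


def current_directory():
    """Reference value for comparison, obtained the normal way."""
    return os.getcwd()


if __name__ == "__main__":
    print("open() blocked:", blocked_open())
    print("os reached anyway:", reach_os_via_subclasses() == current_directory())
```

The lesson is that eval() is a full interpreter with reflection; removing names from its namespace does not remove the objects reachable through attributes of any literal, so a blacklist on the input string is fighting the wrong layer.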

Re: evil eval

Postby micseydel » Tue Jun 25, 2013 1:21 am

This appears to have quite a few false positives. It's very easy to make something secure if you can be liberal with your false positives. (And sometimes this is the ideal behavior, of course.)
Join the #python-forum IRC channel on irc.freenode.net!

Please do not PM members regarding questions which are meant to be discussed publicly. The point of the forum is so that others can benefit from it. We don't want to help you over PMs or emails.
micseydel
Posts: 1223
Joined: Tue Feb 12, 2013 2:18 am
Location: Mountain View, CA

Re: evil eval

Postby stranac » Tue Jun 25, 2013 7:18 am

Wish my computer was working...
I can think of a few things I'd like to try.
But it's even hard to read code on a phone...
Friendship is magic!

R.I.P. Tracy M. You will be missed.
stranac
Posts: 1097
Joined: Thu Feb 07, 2013 3:42 pm

Re: evil eval

Postby jkbbwr » Tue Jun 25, 2013 10:54 am

You have basically restricted *every* keyword.

Although I can still DDoS you
Code:
1024 ** 1024 ** 1024
jkbbwr
 
Posts: 17
Joined: Mon Feb 11, 2013 10:25 am

Re: evil eval

Postby micseydel » Tue Jun 25, 2013 11:20 am

DDoS'ing is boring. On a Linux machine, that's easy to fix anyway (perhaps on Windows too). I think this is a neat try; I just think a nice solution wouldn't be so overzealous.
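
The less zealous approach a practitioner would reach for, added here as an example (not from the thread): do not filter the input string at all; parse it with the ast module and evaluate only a whitelist of node types. Names, calls, attribute access and imports are then rejected structurally, so substrings like 'test' or 're' no longer matter, and the power operator gets a bound so that jkbbwr's 1024 ** 1024 ** 1024 is refused up front. The limits MAX_EXPONENT and MAX_RESULT_BITS and the function names are this example's own choices; it assumes Python 3.8+ (ast.Constant).

```python
import ast
import operator

MAX_EXPONENT = 1000          # assumption: generous for a calculator, useless for a DoS
MAX_RESULT_BITS = 1 << 16    # assumption: refuse integers wider than 64 Kibit

# Only these operators are reachable; everything else is rejected structurally.
_BINARY = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod,
}
_UNARY = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def _bounded_pow(base, exp):
    """base ** exp with both the exponent and the result width capped."""
    if isinstance(exp, int) and abs(exp) > MAX_EXPONENT:
        raise ValueError("exponent %d exceeds %d" % (exp, MAX_EXPONENT))
    if isinstance(base, int) and isinstance(exp, int) and exp > 0:
        if base.bit_length() * exp > MAX_RESULT_BITS:
            raise ValueError("result would exceed %d bits" % MAX_RESULT_BITS)
    return base ** exp


def _evaluate(node):
    if isinstance(node, ast.Constant):
        # bools are ints in Python; keep the grammar to plain numbers
        if isinstance(node.value, (int, float)) and not isinstance(node.value, bool):
            return node.value
        raise ValueError("only numeric literals are allowed")
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
        return _UNARY[type(node.op)](_evaluate(node.operand))
    if isinstance(node, ast.BinOp):
        left, right = _evaluate(node.left), _evaluate(node.right)
        if isinstance(node.op, ast.Pow):
            return _bounded_pow(left, right)
        if type(node.op) in _BINARY:
            return _BINARY[type(node.op)](left, right)
    # Name, Call, Attribute, Subscript, comprehensions, lambda ... all land here,
    # which is what stops __import__('os'), open(...) and ().__class__ tricks.
    raise ValueError("disallowed syntax: %s" % type(node).__name__)


def safe_arith_eval(expr):
    """Evaluate an arithmetic expression string without ever calling eval()."""
    tree = ast.parse(expr, mode="eval")   # SyntaxError for 'a = 1', as in the post
    return _evaluate(tree.body)


def rejects(expr):
    """True when the expression is refused (bad syntax, disallowed node, bound hit)."""
    try:
        safe_arith_eval(expr)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    for s in ["1+1", "1+1+1*10", "2*2(2)", "a + 1",
              "__import__('subprocess').Popen('ls')", "1024 ** 1024 ** 1024"]:
        print(s, "->", "rejected" if rejects(s) else safe_arith_eval(s))
```

Arithmetic errors such as 1/0 still propagate as ZeroDivisionError, exactly as in the post's transcript; the whitelist decides what syntax may run, not whether the arithmetic succeeds.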

Re: evil eval

Postby metulburr » Tue Jun 25, 2013 1:21 pm

Well, I was thinking to cut everything and just remove certain ones from the list when wanted/needed.


jkbbwr wrote: Although I can still DDoS you
Code:
1024 ** 1024 ** 1024

Crap, I forgot about that.

EDIT:
OK, here is my solution to that:
Code:
import sys
import pkgutil
import keyword
import multiprocessing


def control_eval(s):
    # Runs in the child process; the parent only waits and kills.
    print(eval(s))


# Guard the loop so a spawn-based child (Windows) importing this file does not re-enter it.
if __name__ == '__main__':
    pkg_names = []
    for i in pkgutil.iter_modules():
        pkg_names.append(i[1])

    forbidden = pkg_names + dir(__builtins__) + keyword.kwlist

    while True:
        ok = True

        s = input(': ')
        for word in forbidden:
            if word in s:
                print('{} is not allowed'.format(word))
                ok = False

        if s and ok:
            try:
                # Pass s via args rather than a lambda: a lambda target cannot be
                # pickled on platforms that use the spawn start method.
                p = multiprocessing.Process(target=control_eval, args=(s,))
                p.start()
                p.join(10)          # wait at most 10 s of wall-clock time
                # is_alive must be called: the bare method object is always truthy,
                # so the original printed "process killed" for every expression.
                if p.is_alive():
                    print("process killed")
                    p.terminate()
                    p.join()
            except:
                print(sys.exc_info())
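
An added example (not code from the thread) of the "easy to fix on Linux" route micseydel alludes to: run the evaluation in a child process and give that child a hard CPU-time limit with resource.setrlimit, so 1024 ** 1024 ** 1024 is killed by SIGXCPU even though a Python-level signal handler could never interrupt a single C-level bigint operation, and hand the result back over a pipe instead of printing in the child. The function names, the limits and the use of the fork start method are this example's own; it needs a Unix host. This bounds the resource-exhaustion problem only: evaluating untrusted input with eval() in the child is still not a sandbox.

```python
import multiprocessing
import resource


def _child(expr, conn, cpu_seconds):
    """Runs in the child: cap CPU time, evaluate, send the outcome back."""
    # A hard RLIMIT_CPU makes the kernel deliver SIGXCPU (default action: terminate)
    # after cpu_seconds of CPU, regardless of what the interpreter is busy with.
    _, hard = resource.getrlimit(resource.RLIMIT_CPU)
    cap = cpu_seconds if hard == resource.RLIM_INFINITY else min(cpu_seconds, hard)
    resource.setrlimit(resource.RLIMIT_CPU, (cap, cap))
    try:
        # Same stripped-builtins eval as the post; still not a sandbox.
        conn.send(("ok", repr(eval(expr, {"__builtins__": {}}, {}))))
    except Exception as exc:
        conn.send(("error", "%s: %s" % (type(exc).__name__, exc)))
    finally:
        conn.close()


def guarded_eval(expr, cpu_seconds=2, wall_seconds=10):
    """Return ("ok", repr_of_value), ("error", message) or ("killed", reason)."""
    # fork (not spawn) so the child does not re-import the caller's __main__.
    ctx = multiprocessing.get_context("fork")
    parent_conn, child_conn = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_child, args=(expr, child_conn, cpu_seconds))
    proc.start()
    child_conn.close()              # only the child keeps the write end
    proc.join(wall_seconds)         # wall-clock backstop, e.g. for a child that sleeps
    if proc.is_alive():             # note the call; a bare is_alive is always truthy
        proc.kill()
        proc.join()
        return ("killed", "wall-clock limit of %ss exceeded" % wall_seconds)
    if proc.exitcode != 0:
        # A negative exit code means the child died from that signal;
        # -SIGXCPU (-24 on Linux) is the CPU cap doing its job.
        return ("killed", "child exit code %d" % proc.exitcode)
    # Results larger than the pipe buffer (64 KiB on Linux) would block the child
    # in send() until the wall-clock kill; keep outputs bounded for real use.
    if parent_conn.poll():
        return parent_conn.recv()
    return ("error", "child exited without a result")


if __name__ == "__main__":
    for s in ["1+1", "1/0", "open('test.txt')", "1024 ** 1024 ** 1024"]:
        print(s, "->", guarded_eval(s, cpu_seconds=1))
```

Compared with the post's version, the CPU limit lives in the child and the timeout in the parent, so a runaway expression is stopped by the kernel after cpu_seconds of actual work rather than after 10 s of wall-clock time, and the parent learns how the child died from its exit code instead of guessing.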

